[Bug 8411] New: Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory
bugzilla at busybox.net
Tue Oct 20 00:29:12 UTC 2015
https://bugs.busybox.net/show_bug.cgi?id=8411
Summary: Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory
Product: Busybox
Version: unspecified
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
AssignedTo: unassigned at busybox.net
ReportedBy: tyhicks at canonical.com
CC: busybox-cvs at busybox.net
Estimated Hours: 0.0
It was discovered that busybox's tar implementation will extract a symlink that
points outside of the current working directory and follow that symlink when
extracting other files. This allows for a directory traversal attack when
extracting untrusted tarballs.
This behavior is documented in the source code:
http://git.busybox.net/busybox/tree/archival/tar.c#n25
I took a quick look at how GNU tar handles such situations. If the symlink
target is absolute or contains a ".." component, they create a regular file as
a placeholder. After all other files have been extracted, the placeholder files
are replaced with the originally intended symlinks.
(That is also how they handle hardlink extraction but I don't see any support
for LNKTYPE files in busybox tar.)
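The GNU tar rule the reporter describes (an absolute target or a ".." component means the symlink must not be created in place) turned into an offline audit of an archive before it is handed to an extractor. This is an added example, not busybox or GNU tar code; the sample archive and its entry names are constructed inline for illustration.

```python
import io
import posixpath
import tarfile


def build_sample_tar() -> bytes:
    """Constructed sample archive: one harmless symlink, two escaping ones,
    and a regular file whose path passes through an escaping link."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_symlink(name, target):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)

        def add_file(name, payload=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))

        add_symlink("docs/readme", "README.txt")   # relative, stays in tree
        add_symlink("abs", "/tmp")                 # absolute target
        add_symlink("up", "../../outside")         # contains a ".." component
        add_file("up/dropped")                     # written through the escaping link
        add_file("docs/README.txt", b"hello")
    return buf.getvalue()


def symlink_escapes(link_target: str) -> bool:
    """GNU tar's rule as described in the report: absolute targets and
    targets with a '..' component are deferred rather than created in place."""
    return link_target.startswith("/") or ".." in link_target.split("/")


def audit_tar(data: bytes) -> list:
    """Return (member, reason) for every entry that would leave the extraction
    directory on an extractor that follows symlinks while writing later files."""
    findings, bad_links = [], set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((m.name, "member path escapes root"))
            if m.issym() and symlink_escapes(m.linkname):
                bad_links.add(name)
                findings.append((m.name, "symlink target escapes root: " + m.linkname))
            # The traversal itself: a later entry whose path runs through a
            # flagged symlink gets written wherever that link points.
            parts = name.split("/")
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in bad_links:
                    findings.append((m.name, "path goes through escaping symlink " + prefix))
                    break
    return findings
```

Running the audit before extraction (or refusing archives with any finding) gives the placeholder-then-replace behaviour of GNU tar its equivalent on the receiving side.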